Description
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.
Published: 2026-06-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the protobufjs JavaScript library allows a crafted protobuf binary payload to trigger unbounded recursion during the conversion of a decoded message to a plain object or JSON representation. The library’s toObject() function and the custom google.protobuf.Any JSON conversion path lack a depth limit, so deeply nested Any structures exhaust the JavaScript call stack. The result is a denial‑of‑service condition in which the application crashes or becomes unresponsive. The weakness is a form of insecure depth or bounds check, classified as CWE‑674 and CWE‑606.

Affected Systems

The affected product is protobufjs:protobuf.js. Versions earlier than 7.6.1 for the 7.x series and earlier than 8.4.1 for the 8.x series are vulnerable. All releases prior to these patch versions that use the toObject or Any conversion features are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity of this denial of service. The EPSS score indicates a very low probability of exploitation, but the vulnerability is still high risk. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely to be achieved when an application that incorporates protobufjs receives or processes a maliciously crafted protobuf binary from an external source. If the application exposes its protobuf ingestion interface over a network, a remote attacker could trigger the vulnerability by sending a large, deeply nested message. In environments where the incoming data is trusted, the risk is mitigated but not eliminated if the unmarshalling step is used unsafely.

Generated by OpenCVE AI on June 29, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobufjs to version 7.6.1 or newer, or to 8.4.1 or newer, depending on the installed major release.
  • If an upgrade cannot be performed immediately, limit the depth of any nested google.protobuf.Any objects or avoid converting untrusted protobuf messages to JSON using toObject or the Any conversion routine.
  • Verify that only trusted data is provided to protobufjs unmarshal calls and incorporate defensive checks or input validation before invoking the vulnerable conversion paths.

Generated by OpenCVE AI on June 29, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wcpc-wj8m-hjx6 protobufjs: Denial of service through unbounded Any expansion during JSON conversion
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Protobuf
Protobuf protobuf
Vendors & Products Protobuf
Protobuf protobuf

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON. This vulnerability is fixed in 7.6.1 and 8.4.1.
Title protobufjs: Denial of service through unbounded Any expansion during JSON conversion
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Protobuf Protobuf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:54:24.472Z

Reserved: 2026-05-22T18:47:27.755Z

Link: CVE-2026-48712

cve-icon Vulnrichment

Updated: 2026-06-23T13:50:33.739Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T16:21:21Z

Links: CVE-2026-48712 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:00:05Z

Weaknesses
  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-674

    Uncontrolled Recursion